Wordfence > All Options > Brute Force settings
Make the brute force settings much more strict, with the max lockout duration, so that bots aren’t continually trying to log into your site.
Wordfence > General Wordfence Options
If you’re using Cloudflare, Wordfence will only see users as coming from the CF IP address, so you need to tell WF to use the “CF-connecting-IP” header so that the real user IP is used in the firewall.
Wordfence > Login Security > Settings tab – disable XMLRPC
This will stop a large percentage of bots
